import bluez-5.52-1.el8

2020-07-28 05:28:54 -04:00 · 2020-07-28 05:28:54 -04:00 · bfa1dc9e35
commit bfa1dc9e35
parent e78b0878c6
11 changed files with 254 additions and 98 deletions
--- a/.bluez.metadata
+++ b/.bluez.metadata
@ -1 +1 @@
-a59289c91ccb7fac248e916838d4e66d7936151e SOURCES/bluez-5.50.tar.xz
+75e907922a62588c12d5642293403be0625b4d02 SOURCES/bluez-5.52.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/bluez-5.50.tar.xz
+SOURCES/bluez-5.52.tar.xz
--- a/SOURCES/0001-HOGP-must-only-accept-data-from-bonded-devices.patch
+++ b/SOURCES/0001-HOGP-must-only-accept-data-from-bonded-devices.patch
@ -0,0 +1,37 @@
 From 89fb68570e72a854f10d50bec99112d294597483 Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Fri, 24 Apr 2020 16:06:37 +0530
 Subject: [PATCH BlueZ 1/2]     HOGP must only accept data from bonded devices.
 commit 8cdbd3b09f29da29374e2f83369df24228da0ad1
 Author: Alain Michaud <alainm@chromium.org>
 Date:   Tue Mar 10 02:35:16 2020 +0000
    HOGP must only accept data from bonded devices.
    HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
    Reference:
    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
 ---
 profiles/input/hog.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/profiles/input/hog.c b/profiles/input/hog.c
 index 23c9c1529..f8a82bc20 100644
 --- a/profiles/input/hog.c
 +++ b/profiles/input/hog.c
@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
 			return -EINVAL;
 	}
 +	/* HOGP 1.0 Section 6.1 requires bonding */
 +	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
 +		return -ECONNREFUSED;
 +
 	/* TODO: Replace GAttrib with bt_gatt_client */
 	bt_hog_attach(dev->hog, attrib);
 -- 
 2.21.1
--- a/SOURCES/0001-build-Always-define-confdir-and-statedir.patch
+++ b/SOURCES/0001-build-Always-define-confdir-and-statedir.patch
@ -1,35 +1,41 @@
 From 5a62336f4da3a2d1a1ab38d03980d57844bce147 Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Mon, 8 Jun 2020 20:56:46 +0530
 Subject: [PATCH BlueZ 1/4] build: Always define confdir and statedir
 From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 20 Sep 2017 12:49:10 +0200
-Subject: [PATCH 1/4] build: Always define confdir and statedir
+
 build: Always define confdir and statedir
 As we will need those paths to lock down on them.
 ---
- Makefile.am | 6 +++---
+ Makefile.am | 5 +++--
- 1 file changed, 3 insertions(+), 3 deletions(-)
+ 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/Makefile.am b/Makefile.am
-index 555f301ca..1c38d94e5 100644
+index 84c9712c9..6e77ed91e 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -30,14 +30,14 @@ include_HEADERS =
+@@ -31,14 +31,15 @@ pkginclude_HEADERS =
- AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS)
+ AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
 AM_LDFLAGS = $(MISC_LDFLAGS)
 +confdir = $(sysconfdir)/bluetooth
 +statedir = $(localstatedir)/lib/bluetooth
 +
 if DATAFILES
- dbusdir = @DBUS_CONFDIR@/dbus-1/system.d
+ dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
 dbus_DATA = src/bluetooth.conf
 -confdir = $(sysconfdir)/bluetooth
 conf_DATA =
-
+ 
 -statedir = $(localstatedir)/lib/bluetooth
 state_DATA =
 endif
 -- 
-2.14.1
+2.21.1
--- a/SOURCES/0001-build-Enable-BIND_NOW.patch
+++ b/SOURCES/0001-build-Enable-BIND_NOW.patch
@ -1,31 +0,0 @@
 From e45c8fdcb3d7cdb654f6819c02d1bbb5b40b6116 Mon Sep 17 00:00:00 2001
 From: Florian Weimer <fweimer@redhat.com>
 Date: Thu, 7 Nov 2013 09:23:35 +0100
 Subject: [PATCH 1/4] build: Enable BIND_NOW
 Partial RELRO means that the object is GNU_RELRO but not BIND_NOW.  This
 reduces the effectiveness of RELRO.  bluez triggers this because it
 enables PIE during the build, and rpmdiff takes this as an indicator
 that the best possible hardening is desired.
 https://bugzilla.redhat.com/show_bug.cgi?id=983161
 ---
 acinclude.m4 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/acinclude.m4 b/acinclude.m4
 index bc39c6d73..efce2f3cb 100644
 --- a/acinclude.m4
 +++ b/acinclude.m4
@@ -50,7 +50,7 @@ AC_DEFUN([MISC_FLAGS], [
 		if (test "${enableval}" = "yes" &&
 				test "${ac_cv_prog_cc_pie}" = "yes"); then
 			misc_cflags="$misc_cflags -fPIC"
 -			misc_ldflags="$misc_ldflags -pie"
 +			misc_ldflags="$misc_ldflags -pie -Wl,-z,now"
 		fi
 	])
 	if (test "$enable_coverage" = "yes"); then
 -- 
 2.14.1
--- a/SOURCES/0002-HID-accepts-bonded-device-connections-only.patch
+++ b/SOURCES/0002-HID-accepts-bonded-device-connections-only.patch
@ -0,0 +1,144 @@
 From b84b23845ec9730b783f4e6efcee70c8b2f09f29 Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Fri, 24 Apr 2020 16:27:58 +0530
 Subject: [PATCH BlueZ 2/2]     HID accepts bonded device connections only.
 commit 3cccdbab2324086588df4ccf5f892fb3ce1f1787
 Author: Alain Michaud <alainm@chromium.org>
 Date:   Tue Mar 10 02:35:18 2020 +0000
    HID accepts bonded device connections only.
    This change adds a configuration for platforms to choose a more secure
    posture for the HID profile.  While some older mice are known to not
    support pairing or encryption, some platform may choose a more secure
    posture by requiring the device to be bonded  and require the
    connection to be encrypted when bonding is required.
    Reference:
    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
 ---
 profiles/input/device.c   | 23 ++++++++++++++++++++++-
 profiles/input/device.h   |  1 +
 profiles/input/input.conf |  8 ++++++++
 profiles/input/manager.c  | 13 ++++++++++++-
 4 files changed, 43 insertions(+), 2 deletions(-)
 diff --git a/profiles/input/device.c b/profiles/input/device.c
 index 84614784d..3abd2f592 100644
 --- a/profiles/input/device.c
 +++ b/profiles/input/device.c
@@ -91,6 +91,7 @@ struct input_device {
 static int idle_timeout = 0;
 static bool uhid_enabled = false;
 +static bool classic_bonded_only = false;
 void input_set_idle_timeout(int timeout)
 {
@@ -102,6 +103,11 @@ void input_enable_userspace_hid(bool state)
 	uhid_enabled = state;
 }
 +void input_set_classic_bonded_only(bool state)
 +{
 +	classic_bonded_only = state;
 +}
 +
 static void input_device_enter_reconnect_mode(struct input_device *idev);
 static int connection_disconnect(struct input_device *idev, uint32_t flags);
@@ -969,8 +975,18 @@ static int hidp_add_connection(struct input_device *idev)
 	if (device_name_known(idev->device))
 		device_get_name(idev->device, req->name, sizeof(req->name));
 +	/* Make sure the device is bonded if required */
 +	if (classic_bonded_only && !device_is_bonded(idev->device,
 +				btd_device_get_bdaddr_type(idev->device))) {
 +		error("Rejected connection from !bonded device %s", dst_addr);
 +		goto cleanup;
 +	}
 +
 	/* Encryption is mandatory for keyboards */
 -	if (req->subclass & 0x40) {
 +	/* Some platforms may choose to require encryption for all devices */
 +	/* Note that this only matters for pre 2.1 devices as otherwise the */
 +	/* device is encrypted by default by the lower layers */
 +	if (classic_bonded_only || req->subclass & 0x40) {
 		if (!bt_io_set(idev->intr_io, &gerr,
 					BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
 					BT_IO_OPT_INVALID)) {
@@ -1202,6 +1218,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
 	DBG("path=%s reconnect_mode=%s", idev->path,
 				reconnect_mode_to_string(idev->reconnect_mode));
 +	/* Make sure the device is bonded if required */
 +	if (classic_bonded_only && !device_is_bonded(idev->device,
 +				btd_device_get_bdaddr_type(idev->device)))
 +		return;
 +
 	/* Only attempt an auto-reconnect when the device is required to
 	 * accept reconnections from the host.
 	 */
 diff --git a/profiles/input/device.h b/profiles/input/device.h
 index 51a9aee18..3044db673 100644
 --- a/profiles/input/device.h
 +++ b/profiles/input/device.h
@@ -29,6 +29,7 @@ struct input_conn;
 void input_set_idle_timeout(int timeout);
 void input_enable_userspace_hid(bool state);
 +void input_set_classic_bonded_only(bool state);
 int input_device_register(struct btd_service *service);
 void input_device_unregister(struct btd_service *service);
 diff --git a/profiles/input/input.conf b/profiles/input/input.conf
 index 3e1d65aae..166aff4a4 100644
 --- a/profiles/input/input.conf
 +++ b/profiles/input/input.conf
@@ -11,3 +11,11 @@
 # Enable HID protocol handling in userspace input profile
 # Defaults to false (HIDP handled in HIDP kernel module)
 #UserspaceHID=true
 +
 +# Limit HID connections to bonded devices
 +# The HID Profile does not specify that devices must be bonded, however some
 +# platforms may want to make sure that input connections only come from bonded
 +# device connections. Several older mice have been known for not supporting
 +# pairing/encryption.
 +# Defaults to false to maximize device compatibility.
 +#ClassicBondedOnly=true
 diff --git a/profiles/input/manager.c b/profiles/input/manager.c
 index 1d31b0652..5cd27b839 100644
 --- a/profiles/input/manager.c
 +++ b/profiles/input/manager.c
@@ -96,7 +96,7 @@ static int input_init(void)
 	config = load_config_file(CONFIGDIR "/input.conf");
 	if (config) {
 		int idle_timeout;
 -		gboolean uhid_enabled;
 +		gboolean uhid_enabled, classic_bonded_only;
 		idle_timeout = g_key_file_get_integer(config, "General",
 							"IdleTimeout", &err);
@@ -114,6 +114,17 @@ static int input_init(void)
 			input_enable_userspace_hid(uhid_enabled);
 		} else
 			g_clear_error(&err);
 +
 +		classic_bonded_only = g_key_file_get_boolean(config, "General",
 +						"ClassicBondedOnly", &err);
 +
 +		if (!err) {
 +			DBG("input.conf: ClassicBondedOnly=%s",
 +					classic_bonded_only ? "true" : "false");
 +			input_set_classic_bonded_only(classic_bonded_only);
 +		} else
 +			g_clear_error(&err);
 +
 	}
 	btd_profile_register(&input_profile);
 -- 
 2.21.1
--- a/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+++ b/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
@ -1,7 +1,13 @@
 From 98826d0717fe831265256f996c9e90d15262bef1 Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Mon, 8 Jun 2020 19:54:24 +0530
 Subject: [PATCH BlueZ 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
 From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
 From: Craig Andrews <candrews@integralblue.com>
 Date: Wed, 13 Sep 2017 15:23:09 +0200
-Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
+
 systemd: Add PrivateTmp and NoNewPrivileges options
 PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
 namespace. This is useful to secure access to temporary files of the
@ -15,7 +21,7 @@ possible privilege escalations.
 1 file changed, 6 insertions(+)
 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index f799f65f0..a6f3030f9 100644
+index f9faaa452..7c2f60bb4 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
@ -34,5 +40,5 @@ index f799f65f0..a6f3030f9 100644
 [Install]
 WantedBy=bluetooth.target
 -- 
-2.14.1
+2.21.1
--- a/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
+++ b/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
@ -1,7 +1,13 @@
 From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Mon, 8 Jun 2020 19:55:39 +0530
 Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown
 From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 13 Sep 2017 15:37:11 +0200
-Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
+
 systemd: Add more filesystem lockdown
 We can only access the configuration file as read-only and read-write
 to the Bluetooth cache directory and sub-directories.
@ -11,20 +17,20 @@ to the Bluetooth cache directory and sub-directories.
 2 files changed, 6 insertions(+)
 diff --git a/Makefile.am b/Makefile.am
-index 1c38d94e5..13ccf9079 100644
+index cdd2fd8fb..0af1a8c45 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -478,6 +478,8 @@ MAINTAINERCLEANFILES = Makefile.in \
+@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
- 		$(SED) -e 's,@libexecdir\@,$(libexecdir),g' \
+ 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
 +		       -e 's,@statedir\@,$(statedir),g' \
 +		       -e 's,@confdir\@,$(confdir),g' \
 		< $< > $@
 %.service: %.service.in Makefile
 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index a6f3030f9..7e55b5043 100644
+index 7c2f60bb4..4daedef2a 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
@ -39,5 +45,5 @@ index a6f3030f9..7e55b5043 100644
 # Privilege escalation
 NoNewPrivileges=true
 -- 
-2.14.1
+2.21.1
--- a/SOURCES/0003-tools-csr_usb-Fix-compilation-failure.patch
+++ b/SOURCES/0003-tools-csr_usb-Fix-compilation-failure.patch
@ -1,41 +0,0 @@
 From 07a12a6685ea57be18f39e349dbc42e4af3744ed Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Tue, 5 Sep 2017 10:32:15 +0200
 Subject: [PATCH 3/4] tools/csr_usb: Fix compilation failure
 GCC's "format-nonliteral" security check is enabled as an error in
 recent versions of Fedora. Given the reduced scope of use, mark the
 error as ignorable through pragma.
 tools/csr_usb.c: In function 'read_value':
 tools/csr_usb.c:82:2: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
  n = fscanf(file, format, &value);
  ^
 ---
 tools/csr_usb.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/tools/csr_usb.c b/tools/csr_usb.c
 index a1d7324f7..33e9968a2 100644
 --- a/tools/csr_usb.c
 +++ b/tools/csr_usb.c
@@ -67,6 +67,8 @@ struct usbfs_bulktransfer {
 #define USBFS_IOCTL_CLAIMINTF	_IOR('U', 15, unsigned int)
 #define USBFS_IOCTL_RELEASEINTF	_IOR('U', 16, unsigned int)
 +#pragma GCC diagnostic push
 +#pragma GCC diagnostic ignored "-Wformat-nonliteral"
 static int read_value(const char *name, const char *attr, const char *format)
 {
 	char path[PATH_MAX];
@@ -88,6 +90,7 @@ static int read_value(const char *name, const char *attr, const char *format)
 	fclose(file);
 	return value;
 }
 +#pragma GCC diagnostic pop
 static char *check_device(const char *name)
 {
 -- 
 2.14.1
--- a/SOURCES/0004-systemd-More-lockdown.patch
+++ b/SOURCES/0004-systemd-More-lockdown.patch
@ -1,7 +1,13 @@
 From 9a7872f04cb748e8de743d9136ecd91539d13cb7 Mon Sep 17 00:00:00 2001
 From: Gopal Tiwari <gtiwari@redhat.com>
 Date: Mon, 8 Jun 2020 19:56:42 +0530
 Subject: [PATCH BlueZ 4/4] systemd: More lockdown
 From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 13 Sep 2017 15:38:26 +0200
-Subject: [PATCH 4/4] systemd: More lockdown
+
 systemd: More lockdown
 bluetoothd does not need to execute mapped memory, or real-time
 access, so block those.
@ -10,7 +16,7 @@ access, so block those.
 1 file changed, 6 insertions(+)
 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index 7e55b5043..e8267b338 100644
+index 4daedef2a..f18801866 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@ ProtectControlGroups=true
@ -30,5 +36,5 @@ index 7e55b5043..e8267b338 100644
 WantedBy=bluetooth.target
 Alias=dbus-org.bluez.service
 -- 
-2.14.1
+2.21.1
--- a/SPECS/bluez.spec
+++ b/SPECS/bluez.spec
@ -1,6 +1,6 @@
 Name:    bluez
 Summary: Bluetooth utilities
-Version: 5.50
+Version: 5.52
 Release: 1%{?dist}
 License: GPLv2+
 URL:     http://www.bluez.org/
@ -15,8 +15,8 @@ Source3: btattach-bcm@.service
 Source4: btattach-bcm-service.sh
 # https://github.com/hadess/bluez/commits/build-fixes-5.46
-Patch1: 0001-build-Enable-BIND_NOW.patch
+#Patch1: 0001-build-Enable-BIND_NOW.patch
-Patch2: 0003-tools-csr_usb-Fix-compilation-failure.patch
+#Patch2: 0003-tools-csr_usb-Fix-compilation-failure.patch
 # https://github.com/hadess/bluez/commits/obex-5.46
 Patch3: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
@ -33,6 +33,12 @@ Patch23: 0004-systemd-More-lockdown.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1567622
 Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
 #Patch25: 0001-core-Add-AlwaysPairable-to-main.conf.patch 
 #Patch26: 0002-agent-Make-the-first-agent-to-register-the-default.patch 
 Patch27: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch
 Patch28: 0002-HID-accepts-bonded-device-connections-only.patch
 BuildRequires: git-core
 BuildRequires: dbus-devel >= 1.6
 BuildRequires: glib2-devel
@ -220,6 +226,7 @@ make check
 %{_bindir}/mpris-proxy
 %{_bindir}/gatttool
 %{_bindir}/rctest
 %{_datadir}/zsh/site-functions/_bluetoothctl
 %{_mandir}/man1/btattach.1.gz
 %{_mandir}/man1/ciptool.1.gz
 %{_mandir}/man1/hcitool.1.gz
@ -241,6 +248,7 @@ make check
 %{_unitdir}/btattach-bcm@.service
 %{_udevrulesdir}/69-btattach-bcm.rules
 %files libs
 %{!?_licensedir:%global license %%doc}
 %license COPYING
@ -266,6 +274,21 @@ make check
 %{_userunitdir}/obex.service
 %changelog
 * Tue Jun 9 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-1
 + bluez-5.52-1
 - Fixing (#1830397)
 * Fri Apr 24 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-4
 + bluez-5.50-4
 - Fixing CVE-2020-0556
 * Mon Jan 13 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-3
 + bluez-5.50-3
 - Bump the version 
 * Mon Jan 13 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.50-2
 + bluez-5.50-2
 - Fixing CVE-2018-10910 (#1606373)
 * Fri Sep 7 2018 Gopal Tiwari <gtiwari@redhat.com> - 5.50-1
 + bluez-5.50-1
`@ -1 +1 @@`
	`a59289c91ccb7fac248e916838d4e66d7936151e SOURCES/bluez-5.50.tar.xz`	`75e907922a62588c12d5642293403be0625b4d02 SOURCES/bluez-5.52.tar.xz`
`@ -1 +1 @@`
	`SOURCES/bluez-5.50.tar.xz`	`SOURCES/bluez-5.52.tar.xz`